Certificate Authorities: A Means to Advanced Security, But Not the End

Certificate authorities (CAs) are critical links in the chain that ensures the quality and integrity of enterprise IT security, compliance and operations. CAs issue and ensure valuable third-party trust for human-to-machine and machine-to-machine communications and authentication. However, leveraging the security benefits of trust providers like CAs doesn't relieve your organization of its management responsibilities.

On the contrary, effective encryption key and certificate management processes based on best practices are as critical to your organization’s security profile as are certificates and keys themselves. To understand what your organization should seek in a management solution, it might be helpful to first understand the roles CAs and digital certificates play on the security-solutions stage.

Encryption 101

CAs issue digital certificates to organizations or individuals after verifying their identities. Digital certificates go hand-in-hand with associated encryption keys. Together, the certificates and keys keep sensitive files, systems and servers secure, compliant and running. Today's enterprises rely on thousands —and sometimes even tens of thousands—of certificates and keys to authenticate users, servers and applications. Much like IDs and passwords, applications use certificates and encryption keys to protect valuable data and authenticate systems.

With so many certificates and keys on the network, in cloud and virtual environments, and increasingly on mobile devices and tablets (to authenticate applications back to the network), enterprises face increased risks if they do not properly control and manage them. How effectively are organizations doing this? Recent research highlights alarming facts: Organizations have little idea how many of these critical security instruments they have in their inventories, where their encryption assets are deployed, who has access to them or how they are managed.

Organizations must regularly inventory certificates for a number of reasons. If a certificate were to expire suddenly and without warning, your organization’s employees, customers and partners could be blocked from accessing critical applications and systems. If a stolen certificate entered your organization's network undetected, it could launch malware capable of siphoning valuable, regulated information or inflicting physical destruction (remember Stuxnet?). If your CA were compromised, your organization could end up being the conduit for a man-in-the-middle attack. Appropriate recovery and business continuation and continuity (BCC) plans require the ability to find, revoke and replace compromised certificates—within minutes or hours, not days, weeks or months.

CAs do a great job of issuing certificates, and some provide rudimentary management tools for their certificates. These tools, however, are not effective when organizations use certificates from multiple CAs (a best practice), especially when they have deployed hundreds or thousands of certificates from each CA. Again, the job of managing certificates and encryption keys lies with the entities using them—not with the issuers—which makes robust discovery, inventory, monitoring and management capabilities as indispensible as CAs and the certificates they issue.

Good management solutions, like good employees, can be hard to find

A critical starting point in any management strategy is to create a comprehensive inventory of certificates and keys, followed by a careful analysis of the inventory and its policy-compliance status. Without this data, it is difficult to ensure information is secure, keep networks up and humming along, and fulfill information-security regulations.

The process of manually creating an accurate and exhaustive inventory of encryption certificate and key populations can be complicated enough to easily command an article of its own. The suggestions here just touch upon this complex process. First, remember that institutional memory plays a big role in manually creating inventories because in most organizations, a variety of administrators have deployed certificates in many locations over a period of years. Thus, it is best to take a multi-pronged approach that includes reaching out to individual administrators and business-service owners to ensure that you do not overlook any certificates.

During the inventory process and afterward, organizations might be tempted to increase their IT staffs to support their manual-management processes. But manual processes involve human error, which inherently increases the chance of introducing vulnerabilities. With manual processes, it is also more difficult to ensure that keys comply with regulations.

Instead, organizations should look for solutions that automate key and certificate management processes (a best practice). Automated approaches eliminate organizations’ encryption-compliance pain points and ensures that their encryption keys are distributed, deployed, and maintained according to industry standards and best practices, thus enabling them to pass compliance audits with flying colors.

Research assistance

Fortunately for organizations in search of automated management solutions, analyst firms such as Gartner are producing new and more frequent reports that outline which vendors are leading in the space. In one of Gartner’s more recent reports, X.509 Certificate Management: Avoiding Downtime and Brand Damage, Gartner analysts Eric Ouellet and Vic Wheatman write:

“Organizations are often not aware of the scope or the validity status of their X.509 certificate deployments until it is too late. Organizations need to establish formalized plans and, if necessary, leverage available tools to minimize impacts.”

To help organizations narrow their searches for these tools and cut through the fear, uncertainty, doubt (FUD) and vendor hype, the two analysts go on to name a number of vendors that can provide effective levels of management.

Gartner isn't the only organization answering questions around effective management. Firms such as the 451 Group and Aberdeen have begun to research and report on the issue, and leading conferences such as RSA and Black Hat have hosted customer and vendor sessions on it.

If your organization is confused about what to seek in its automated certificate and key management solution, this new wealth of resources can help it determine what it needs, and which vendors can meet its needs. A bit of simple homework on your part can put your organization on the fast track to getting a management handle on all of your encryption instruments.

Jeff Hudson serves as CEO of Venafi. A key executive in four successful, high-technology start-ups that have gone public, Hudson brings over 25 years of experience in IT and security management. Prior to joining Venafi, Hudson was the CEO of Vhayu Technologies which was acquired by ThomsonReuters. Prior to Vhayu, Hudson held numerous executive leadership posts, including CEO and cofounder of MS2, SVP of Corporate Development at Informix Software, CEO of Visioneer, and numerous senior executive posts at NetFRAME Systems and WYSE Technology. He started his career with IBM. Mr. Hudson earned a B.A. in communications at the University of California, Davis.